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DETAILED ACTION 

1 . Claims 1-20 are pending in this office action. This action is responsive to 
Applicant's application filed 3/9/2004. 

Information Disclosure Statement 

2. The Applicants' Information Disclosure Statements, filed on August 24, 2004 and 
February 23, 2007, have been received and entered into the record, Since the 
Information Disclosure Statements complies with the provisions of MPEP § 609, the 
references cited therein have been considered by the examiner. See attached forms 
PTO-1449. 

Claim Rejections - 35 USC § 101 

35 U.S.C. 101 reads as follows: 

Whoever invents or discovers any new and useful process, machine, manufacture, or composition of 
matter, or any new and useful improvement thereof, may obtain a patent therefore, subject to the 
conditions and requirements of the title. 

3. Claims 8-10 are rejected under 35 U.S.C. 101 because the language of the claim 
raises a question as to whether the claim is directed merely to an abstract idea that is 
not tied to a technological art, environment or machine which would result in a practice 
application producing a concrete, useful, and tangible result to form the basis of 
statutory subject matter under 35 U.S.C 101 . 

As to claims 8-10 

The claims fail to place the invention squarely within one statutory class of 
invention. On page 5, paragraph 023 of the instant specification, applicant has provided 
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evidence that applicant intends the "medium" to include signals. As such, the claims 
are drawn to a form of energy. Energy is not one of the four categories of invention and 
therefore this claim(s) is/are not statutory. Energy is not a series of steps or acts and 
thus is not a process. Energy is not a physical article or object and as such is not a 
machine or manufacture. Energy is not a combination of substances and therefor not a 
composition of matter. 

Claim Rejections - 35 USC § 102 

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form 
the basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(e) the invention was described in (1) an application for patent, published under section 122(b), by 
another filed in the United States before the invention by the applicant for patent or (2) a patent granted 
on an application for patent by another filed in the United States before the invention by the applicant for 
patent, except that an international application filed under the treaty defined in section 351(a) shall have 
the effects for purposes of this subsection of an application filed in the United States only if the 
international application designated the United States and was published under Article 21(2) of such 
treaty in the English language. 

4. Claims 1 , 2 and 4 are rejected under 35 U.S.C. 102(e) as being anticipated by 
Kaleret al. (US Patent Application No. 2003/0061541 A1, hereinafter "Kaler). 

As to claim 1 

Kaler teaches 

"A method for grouping log file entries by session" as a method and apparatus for 
analyzing the performance of a data processing system (page 1, paragraph 0002). 

Kaler also teaches the Visual Studio Analyzer (VSA) includes an efficient 
mechanism for collecting and transmitting the data to a central log (page 22, paragraph 
0339). Logs from multiple machines must be merged and sorted (page 1 , paragraph 
0015). 
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Kaler further teaches API for generating events from begin session to end 
session (page 16 top left, C interface code). 

"Storing a log file of entries in a memory, each of said entries identifying a client 
request to a server" as when the user's specified trigger condition is detected, the LEG 
can immediately transmit all of the buffered events to the VSA for logging (page 12, 
paragraph 0204). 

Kaler further teaches the client program sends a message to the server with 
appropriate arguments, and the server returns a message containing the results of the 
program executed (page 5, paragraph 0083). 

"Retrieving a subset of log file entries from the memory" as statements in the 
code and having the application write to a log file what was going on at different places 
in the network. Then all of the log files would need to be collected, merged, and sorted 
(page 1 , paragraph 0001 ). The VSA maintains a log of all of the events that have been 
collected (page 18, paragraph 0283). 

"Identifying each entry in the memory to identify entries in the subset of log file 
entries that belong to a complete client session" as some important pre-defined event 
fields are the Machine, Process, Entity, Instance (Session in the APIs) (page 9, 
paragraph 0139). 

Kaler further teaches BeginSession and EridSession (page 16, paragraph 0251- 

0252). 
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"Grouping entries in the subset that belong to a complete client session" as 
behind this visual depiction of the application model, the VSA maintains a log of all of 
the events that have been collected (page 18, paragraph 0283). 

Kaler also teaches there exist known tools called profilers. These look at a single 
executing software application and try to understand its performance. They do this 
either by monitoring the program or else they hook into the program they are monitoring 
and generate events each time a program subcomponent commences or completes 
(page 2, paragraph 0019). 

Kaler further teaches a Transition occurs when one entity (e.g. a program, 
process, or object) turns execution over to another to complete a specific task. The 
transition comprises four events, a Call event, an Enter event, a Leave event, and a 
Return event (page 10, paragraph 0172). 

As to claim 2 
Kaler teaches 

"A complete client session is identified by identifying all entries in the subset that 
are associated with a particular client session and that include both a beginning entry 
and an end entry" as BeginSession is called by an entity before it fires events to register 
its entity and instance names (source and session). EndSession is called by an entity 
after it completes firing events (page 1, paragraph 0251-0252). 



As to claim 4 
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Kaler teaches 

"An end entry for a client session is identified as any entry associated with that 
client session that has no other entries for that client session that occur within a session 
expiration window" as a number of user-customized, synchronized display windows 
show the constituent parts of the application execution and the corresponding 
performance characteristics, in both Gantt chart and graphical modes, either in real-time 
or post-mortem. A timeline window displays a visual representation of the timing of all 
related events. A summary window displays a distillation of the system performance 
during a user-selected time slice (page 3, paragraph 0038). 



Claim Rejections - 35 USC § 103 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth 
in section 102 of this title, if the differences between the subject matter sought to be patented and the 
prior art are such that the subject matter as a whole would have been obvious at the time the invention 
was made to a person having ordinary skill in the art to which said subject matter pertains. Patentability 
shall not be negatived by the manner in which the invention was made. 

This application currently names joint inventors. In considering patentability of 

the claims under 35 U.S.C. 103(a), the examiner presumes that the subject matter of 

the various claims was commonly owned at the time any inventions covered therein 

were made absent any evidence to the contrary. Applicant is advised of the obligation 

under 37 CFR 1 .56 to point out the inventor and invention dates of each claim that was 

not commonly owned at the time a later invention was made in order for the examiner to 
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consider the applicability of 35 U.S.C. 103(c) and potential 35 U.S.C. 102(e). (f) or (g) 
prior art under 35 U.S.C. 1 03(a). 

5. Claims 3, 5-8, 1 1 and 14-18 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Kaler et al. (US Patent Application No. 2003/0061541 A1) as applied 
to claim 1 above, and further in view of Moran (US Patent No. 6,826,697 B1, hereinafter 
"Moran"). 

As to claim 3 

Kaler does not explicitly teach the claimed limitation "an end entry is identified as 
any entry that corresponds to a logout request". 
Moran teaches 

System utilities that display login session times are aware of this situation and 
use a boot record as an implicit logout record for any sessions open at the time. These 
program also have another implicit close for login sessions: if there is a login record on 
the same line being used for an open session, the program implicitly closes that open 
session as of the time of the new login. Since there cannot be two active logins on the 
same line, the assumption is made that the logout record was somehow lost, and the 
new login is the best guess for the end of the previous one on that line (column 21 , lines 
11-20). 

Therefore, it would have been obvious to one of ordinary skill in the art at the 
time the invention was made, having the teachings of Kaler and Moran before him/her. 
to modify Kaler an end entry is identified as any entry that corresponds to a logout 
request because that would allow a system administrator to be alerted whenever an 
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entry matching any of the patterns he has specified is written to a designated log file, 
thereby substantially reducing his need to manually check the log file as taught by 
Moran (column 10, lines 43-46). 

As to claim 5 

Kaler does not explicitly teach the claimed limitation "an end entry for a client 
session is identified as any entry having a first timestamp value, where the difference 
between first timestamp value and a second timestamp value associated with a 
subsequent entry in the subset of log files exceeds a timeout value". 

Moran teaches 

The analysis engine then checks the timestamps on files in each user's home 
directory for consistency with the recorded login sessions. The password table 
enumerates the users, their home directories, and their login shells. The last-access 
times on the RC files for the login shell are compared to the user's last recorded login 
(column 26, lines 26-32). 

Moran further teaches this access time is compared to the timestamps on files 
that the command is expected to access. If those timestamps are earlier than the last- 
access time on the SetUID* command, this is evidence that a SetUID buffer overflow 
attack may have occurred (column 34, lines 52-56). 

Therefore, it would have been obvious to one of ordinary skill in the art at the 
time the invention was made, having the teachings of Kaler and Moran before him/her, 
to modify Kaler an end entry for a client session is identified as any entry having a first 
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timestamp value because that would allow the operator to examine the transaction 
history, but do not provide the context needed to effectively reevaluate the decisions as 
taught by Moran (column 32, lines 22-25). 

As to claim 6 

Although Kaler teaches a transition occurs when one entity turns execution over 
to another to complete a specific task (page 10, paragraph 0172) and EndSession is 
called by an entity after it completes firing events (page 16, paragraph 0252). 

Kaler does not explicitly teach the claimed limitation "outputting all entries in the 
subset of log file entries that do not belong to a complete client session as raw log 
data". 

Moran teaches 

Real-time systems are able to assume that the data they are operating on is 
accurate and complete within the expectations of the systems (column 9, lines 6-8). 

Moran further teaches the stereotypical pattern Js that when a valid username- 
password pair is entered, the login process writes a record to the utmp and wtmp files 
and updates the lastlog file. The utmp file tracks who is currently logged in, and the 
wtmp file provides a historical record, including both completed login sessions and 
active sessions (column 19, lines 60-65). 

Therefore, it would have been obvious to one of ordinary skill in the art at the 
time the invention was made, having the teachings of Kaler and Moran before him/her, 
to modify Kaler outputting all entries in the subset of log file entries that do not belong to 
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a complete client session because that would allow real-time monitoring of larger 
volumes of traffic as taught by Moran (column 2, lines 56-57). 

As to claim 7 

Although Kaler teaches incomplete information is stored specially, and when 
other incomplete data arrives, there is an attempt to pair up the incomplete data using 
pre-defined heuristics (page 18, paragraph 0275). 

Kaler does not explicitly teach the claimed limitation "outputting as raw log data 
all entries in the subset of log file entries that belong to an incomplete client session 
which has a beginning entry but no end entry". 

Moran teaches 

Because of the complexity of the data, an embodiment may use a hybrid 
approach in its analysis engine. Incomplete data presents serious difficulties for a 
backward-chaining (column 38, lines 59-62). 

Moran also teaches the lastlog file contains the time of the last login for each 
user, and the previous value is written to the user's terminal as part of the hello 
message. When the user logs out, the getty process removes the corresponding entry 
from the utmp file and writes a session-end record to the wtmp file (column 19, line 66 
to column 20, line 3). 

Moran further teaches the file system occasionally gets corrupted, either from a 
hardware fault or because the system failed to complete a sequence of writes 
operations (column 30, lines 55-57). 
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Therefore, it would have been obvious to one of ordinary skill in the art at the 
time the invention was made, having the teachings of Kaler and Moran before him/her, 
to modify Kaler outputting as raw log data all entries in the subset of log file entries that 
belong to an incomplete client session because that would allow real-time monitoring of 
larger volumes of traffic as taught by Moran (column 2, lines 56-57). 

As to claim 8 
Kaler teaches 

"An article of manufacture having at least one recordable medium having stored 
thereon executable instructions and data which, when executed by at least one 
processing device, cause the at least one processing device" as a method and 
apparatus for analyzing the performance of a data processing system (page 1, 
paragraph 0002). Data is stored and retrieved for reading from and writing to hard-disk- 
drive interface, magnetic disk drive for reading from and writing to a removable 
magnetic disk, and optical disk drive for reading from and/or writing to a removable 
optical disk such as a CD-ROM, DVD or other optical medium (page 5, paragraph 
0089). 

"Read a plurality of records from a file' system into a ring buffer, where said 
plurality or records comprises a subset of all records in the file system" as data 
collection begins in the lECs. An lEC is a subroutine that marshals the desired data into 
a special format and puts it in a shared memory buffer (page 7. paragraph 01 1 1). 
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Kaler also teaches data is organized so ifs easy to write, since incoming data 
volume can be very high, and also so it's easy to read directly from disk, since dataset 
size will typically preclude loading all data into memory (page 8. paragraph 0124). 

Kaler further teaches the control station can also specify a reset condition. It can 
also specify how many events the LEG should store in its circular buffer (e.g. ring buffer) 
store (page 21 , paragraph 320). 

"Scan each record in the ring buffer to identify a user session for said record and 
to identify any start or end records in the ring buffer" as collection and transmission of 
dynamic data is expensive, and a filter is scanned for clauses that specifically refer to 
the dynamic information that is required (page 13, paragraph 0217). 

Kaler further teaches while waiting for a trigger condition to occur, events are 
retained, transiently by the LEG in a circular buffer (e.g. ring buffer) whose size can be 
specified by VSA. For example, VSA can specify that the buffer store 500 events, so 
when the 501st event comes in, the first event is written over (page 13, paragraph 
0203). 

Kaler does not explicitly teach the claimed limitation "allocate, for each identified 
user session, an index to identify all records in the ring buffer that are associated with 
the identified user session and to identify all start or end records; and process the index 
to group all records in the ring buffer belonging to a complete user session, to output the 
grouped records for further analysis". 

Moran teaches 
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Session identifier, this is an index to a data structure specifying the conditions for 
this particular invocation of this sensor. This data structure includes the host that the 
sensor collected data from and the options specified for this invocation (page 18, lines 
41-45). 

Moran also teaches the sensor that processes lastlog makes two passes over 
the file. The file is an array of struct lastlog data structures, indexed by the User ID 
(column 23, lines 55-57). 

Moran teaches the extent can identify the specific user whose records were 
tampered with depends upon the size of the struct lastlog records and on the pattern of 
allocation of User IDs on the host (column 24, lines 1-4). 

Moran further teaches when a valid username-password pair is entered, the login 
process writes a record to the utmp and wtmp files and updates the lastlog file. The 
utmp file tracks who is currently logged in, and the wtmp file provides a historical record, 
including both completed login sessions and active sessions (column 19, lines 61-65). 

Therefore, it would have been obvious to one of ordinary skill in the art at the 
time the invention was made, having the teachings of Kaler and Moran before him/her, 
to modify Kaler to allocate user session and to identify all start or end records because 
that would allow a system administrator to be alerted whenever an entry matching any 
of the patterns he has specified is written to a designated log file, thereby substantially 
reducing his need to manually check the log file as taught by Moran (column 10, lines 
43-46). 
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As to claim 1 1 
Kaler teaches 

"A system for session-based processing of log files using a data processing 
system and network session data collected from one or more users" as a method and 
apparatus for analyzing the performance of a data processing system (page 1 . 
paragraph 0002). 

Kaler also teaches the Visual Studio Analyzer (VSA) includes an efficient 
mechanism for collecting and transmitting the data to a central log (page 22. paragraph 
0339). Logs from multiple machines must be merged and sorted (page 1, paragraph 
0015). API for generating events from begins session to end session (page 16 top left, 
C interface code). 

Kaler further teaches in the graphical Ul, users are presented with three trees, 
each appearing in a separate window, that represents the key information: a 
Machines/Processes window, a Components window, and a Categories/Events window. 
The Machines/Processes window presents all of the machines being monitored and the 
processes on the machines (page 14, paragraph 0230). 

Kaler does not explicitly teach the claimed limitation "a log file collection system 
for collecting a plurality of server request entries, wherein a server request entry 
comprises a session identifier; a processing engine to process at least a subset of the 
plurality of server request entries to group the server request entries by session using 
the session identifier in each server request entry". 

Moran teaches 
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Session identifier, this is an index to a data structure specifying the conditions for 
this particular invocation of this sensor. This data structure includes the host that the 
sensor collected data from and the options specified for this invocation (page 18, lines 
41-45). 

Moran also teaches the data collection modules are designed to be lightweight 
and relatively simple, and different data sources are handled by different modules. 
These modules extract the data and add identifying information for the fields, simplifying 
the task for the analysis engine (column 10, lines 12-16). 

Moran further teaches when a valid username-password pair is entered, the login 
process writes a record to the utmp and wtmp files and updates the lastlog file. The 
utmp file tracks who is currently logged in, and the wtmp file provides a historical record, 
including both completed login sessions and active sessions (column 19, lines 61-65). 

Therefore, it would have been obvious to one of ordinary skill in the art at the 
time the invention was made, having the teachings of Kaler and Moran before him/her, 
to modify Kaler a processing engine to process at least a subset of the plurality of 
server request entries to group the server request entries by session because that 
would allow a system administrator to be alerted whenever an entry matching any of the 
patterns he has specified is written to a designated log file, thereby substantially 
reducing his need to manually check the log file as taught by Moran (column 10, lines 
43-46). 



As toxlaim 14 
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Kaler does not explicitly teach the claimed limitation "a parser for further analysis 
the web server request entries that have been grouped by session to generate a user 
session history". 

Moran teaches 

A secondary source is provided by the access times on the files related to the 
user shells: the shell Run Command files indicate the last usage of the shell by that user 
account, and this typically corresponds to the last login. The access time on the logout 
RC file and the last-modification time on the shell's history file provide secondary 
evidence for the last logout on that account (column 23, lines 9-16). Various shells 
provide a session history mechanism, allowing the user to edit and repeat previous 
commands. These shells also allow the history to be saved over sessions (column 26, 
lines 53-56). 

Therefore, it would have been obvious to one of ordinary skill in the art at the 
time the invention was made, having the teachings of Kaler and Moran before him/her, 
to modify Kaler analysis the web server request entries that have been grouped by 
session to generate a user session history because that would allow the operator to 
examine the transaction history, but do not provide the context needed to effectively 
reevaluate the decisions as taught by Moran (column 32, lines 22-24). 



As to claim 15 
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Kaler does not explicitly teach the claimed limitation "the processing engine 
generates an output file containing web server request entries corresponding to one or 
more complete user sessions". 

Moran teaches 

The utmp file tracks who is currently logged in, and the wtmp file provides a 
historical record, including both completed login sessions and active sessions (column 
19. lines 63-65). 

Therefore, it would have been obvious to one of ordinary skill in the art at the 
time the invention was made, having the teachings of Kaler and Moran before him/her, 
to modify Kaler log file entries corresponding to one or more complete user sessions 
because that would allow real-time monitoring of larger volumes of traffic as taught by 
Moran (column 2, lines 56-57). 

As to claim 16' 

Kaler does not explicitly teach the claimed, limitation "the processing engine 
generates an output file containing web server request entries corresponding to one or 
more incomplete user sessions". 

Moran teaches 

The file system occasionally gets corrupted, either from a hardware fault or 
because the system failed to complete a sequence of write operations (column 30, lines 
55-57). 
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Therefore, it would have been obvious to one of ordinary skill in the art at the 
time the invention was made, having the teachings of Kaler and Moran before him/her, 
to modify Kaler entries corresponding to one or more incomplete user sessions because 
that would allow real-time monitoring of larger volumes of traffic as taught by Moran 
(column 2. lines 56-57). 

As to claim 17 

Kaler does not explicitly teach the claimed limitation "the processing engine 
generates an output file containing web server request entries corresponding to one or 
more user sessions that do not include an end session entry". 

Moran teaches 

The lastlog file contains the time of the last login for each user, and the previous 
value is written to the user's terminal as part of the hello message. When the user logs 
out, the getty process removes the corresponding entry from the utmp file and writes a 
session-end record to the wtmp file (column 19, line 66 to column 20, line 3). 

Therefore, it would have been obvious to one of ordinary skill in the art at the 
time the invention was made, having the teachings of Kaler and Moran before him/her, 
to modify Kaler request entries corresponding to one or more user sessions that do not 
include an end session entry because that would allow real-time monitoring of larger 
volumes of traffic as taught by Moran (column 2, lines 56-57). 



As to claim 18 
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Kaler teaches 

"A system for parsing web site logs one session at a time, comprising: means for 
storing network session data from at least one server log file" as the VSA includes an 
efficient mechanism for collecting and transmitting the data to a central log (page 22, 
paragraph 0339). 

Kaler further teaches data objects, which can be used to access different types of 
data, including web pages, spreadsheets, and other types of documents (page 4, 
paragraph 0072). 

"Means for reading a subset of the network session data" as BeginSession is 
called by an entity before it fires events to register its entity and instance names (source 
and session). EndSession is called by an entity after it completes firing events (page 1, 
paragraph 0251-0252). 

"Means for processing the subset of the network session data to group said 
network session data by session" as the set of APIs includes an interface that enables 
the operating system to read any one or more of several fields in the application. These 
fields include arguments, source machine, source process, source session and target 
session (page 15, paragraph 0246). 

"Means for generating a first output file containing network session data grouped 
by session" as API for generating events from begin session to end session (page 16 
top left, C interface code). 

"Means for parsing said first output file" as implementations involve writing data 
to disk. Even if the input/output (I/O) is buffered asynchronously (page 1, paragraph 
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0012). All of the log files would need to be collected, merged, and sorted. The developer 
would then have to sift through the data in a time-intensive fashion (page 1 , paragraph 
.0009). 

Although kaler teaches data objects which can be used to access different types 
of data, including web pages (page 4. paragraph 0072). 

Kaler does not explicitly teach the claimed limitation "a system for parsing web 

site". 

Moran teaches 

Computer network also includes an Internet access server configured to enable 
users of host computer systems connected to the computer network to access the 
Internet and in particular to access web pages via the World Wide Web by sending and 
receiving hypertext transfer protocol (HTTP) transmissions (column 7, lines 20-25). 

Therefore, it would have been obvious to one of ordinary skill in the art at the 
time the invention was made, having the teachings of Kaler and Moran before him/her, 
to modify Kaler a system for parsing web site because that would allow real-time 
monitoring of larger volumes of traffic as taught by Moran (column 2, lines 56-57). 

6, Claims 9 and 12 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Kaler et al. (US Patent Application No. 2003/0061 541 A1 ) as applied to claims 8 and 1 1 
above, and further in view of Moran (US Patent No. 6.826,697 B1 ) and Balsamo et al 
(US Patent Application No. 2002/0099806 Al. hereinafter "Balsamo"). 
As to claim 9 
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Kaler does not explicitly teach the claimed limitation "the index comprises: a 
session record for each identified user session for keying into the ring buffer to identify 
log records associated with said identified user session; a hash table for keying into the 
session record based upon session key information; a linked listing of last seen log 
records for each session; and a linked list of first seen log records for each session". 

Moran teaches 

Session identifier, this is an index to a data structure specifying the conditions for 
this particular invocation of this sensor (page 18, lines 41-44). 
Also, Balsamo teaches 

A data collection system includes a processor and a memory storing a computer 
program product for execution in the processor. The computer program product 
removes duplicate records produced from gathering statistics concerning network data 
packets and includes instructions to determine whether a session key associated with 
the network record maps to an active session (page 1, paragraph 0008). 

Balsamo also teaches if the network accounting records (NAR) type could have 
several records in a session, then the order node will need to process the NAR and 
keep track of the NAR. The order node process will make a time stamp. The session 
table, which can be implemented as a hash table, will store the session key and a time 
(page 9, paragraph 0097). 

Balsamo further teaches the chaining of the nodes provides a data flow 
architecture in which input data/records are fed to the first node in the chain and the 
output records/data from the nodes are received from the last node of the chain. The 
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data that is processed by each node is processed in an order in which nodes are 
arranged in the chain (page 2, paragraph 0034). 

Therefore, it would have been obvious to one of ordinary skill in the art at the 
time the invention was made, having the teachings of Kaler, Moran and Balsamo before 
him/her, to modify Kaler a hash table for keying into the session record based upon 
session key information because that would allows user to specify which nodes are to 
receive output NARS from the node as taught by Balsamo (page 7, paragraph 0079). 

As to claim 12 
Kaler teaches 

"A ring buffer for storing the subset of the plurality of web server request entries" 
as the control station can also specify filters, for example a first filter and a second filter. 
The control station can also specify a reset condition. It can also specify how many 
events the LEG should store in its circular buffer (e.g. ring buffer) store (page 21, 
paragraph 0320). 

Kaler does not explicitly teach the claimed limitation "the processing engine uses 
a plurality of data structures to group the web server request entries by session, said 
plurality of data structures comprising: a per-session record for keying into the ring 
buffer, a hash table for keying into the per-session records, a linked list of last 
processed web server request entries for each session, and a linked list of first 
processed web server request entries for each session". 

Moran teaches 



Application/Control Number: 1 0/796,31 7 Page 23 

Art Unit: 2163 

Computer network also includes an Internet access server configured to enable 
users of host computer systems connected to the computer network to access the 
Internet and in particular to access web pages via the World Wide Web by sending and 
receiving hypertext transfer protocol (HTTP) transmissions (column 7, lines 20-25). 

Moran further teaches session identifier, this is an index to a data structure 
specifying the conditions for this particular invocation of this sensor (page 18, lines 41- 
44). 

Also, Balsamo teaches 

A data collection system includes a processor and a memory storing a computer 
program product for execution in the processor. The computer program product 
removes duplicate records produced from gathering statistics concerning network data 
packets and includes instructions to determine whether a session key associated with 
the network record maps to an active session (page 1 , paragraph 0008). 

Balsamo also teaches if the network accounting records (NAR) type could have 
several records in a session, then the order node will need to process the NAR and 
keep track of the NAR. The order node process will make a time stamp. The session 
table, which can be implemented as a hash table, will store the session key and a time 
(page 9, paragraph 0097). 

Balsamo further teaches the chaining of the nodes provides a data flow 
architecture in which input data/records are fed to the first node in the chain and the 
output records/data from the nodes are received from the last node of the chain. The 
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data that is processed by each node is processed in an order in which nodes are 
arranged in the chain (page 2, paragraph 0034). 

Therefore, it would have been obvious to one of ordinary skill in the art at the 
time the invention was made, having the teachings of Kaler, Moran and Balsamo before 
him/her, to modify Kaler a hash table for keying into the session record based upon 
session key information because that would allows user to specify which nodes are to 
receive output NARS from the node as taught by Balsamo (page 7, paragraph 0079). 

7. Claims 10, 13, 19 and 20 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Kaler et al. (US Patent Application No. 2003/0061541 A1) as applied 
to claims 8, 1 1 and 18 above, and further in view of Moran (US Patent No. 6,826,697 . 
B1) and Clark (US Patent No. 6,965,634 B1, hereinafter "Clark"). 
As to claim 10 

Although Kaler teaches while waiting for a trigger condition to occur, events are 
retained transiently by the LEC in a circular buffer whose size can be specified by VSA. 
For example, VSA can specify that the buffer store 500 events, so when the 501st event 
comes in, the first event is written over (page 13, paragraph 0203). 

Kaler does not explicitly teach the claimed limitation "the ring buffer iniplements a 
sliding window to process all of the log records in the file system into complete user 
sessions by sequentially adding and removing log records to the ring buffer until all of 
the log records in the file system have been processed". 

Clark teaches 
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This span of time is called the time uncertainty window; and the operation of 
redefining the past and future edges of the window, and updating the stored timing data 
accordingly, is called sliding the window (column 9, lines 15-19). 

Clark further teaches a method of updating a linked list uses time indexes that 
are modulo incremented and an old index value instead of using pointers, where array 
information is stored in a circular buffer and the old index value is updated to manage 
an end of the list (column 3, lines 20-25). 

Therefore, it would have been obvious to one of ordinary skill in the art at the 
time the invention was made, having the teachings of Kaler, Moran and Clark before 
him/her, to modify Kaler the ring buffer implements a sliding window because that would 
allowing an authorized receiver acquire some timing information as taught by Clark 
(column 3, lines 14-16). 

As to claim 1 3 

Kaler does not explicitly teach the claimed limitation "the processing engine uses 
a sliding memory window to process the subset of the plurality of web server request 
entries". 

Clark teaches 

This span of time is called the time uncertainty window; and the operation of 
redefining the past and future edges of the window, and updating the stored timing data 
accordingly, is called sliding the window (column 9, lines 15-19). 
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Therefore, it would have been obvious to one of ordinary sl<ill in the art at the 
time the invention was made, having the teachings of Kaler, Moran and Clark before 
him/her, to modify Kaler the ring buffer implements a sliding window because that would 
allowing an authorized receiver acquire some timing information as taught by Clark 
(column 3, lines 14-16). 

As to claim 1 9 

Kaler does not explicitly teach the claimed limitation "means for reading a subset 
of the network session data comprises a sliding window". 
Clark teaches 

This span of time is called the time uncertainty window; and the operation of 
redefining the past and future edges of the window, and updating the stored timing data 
accordingly, is called sliding the window (column 9, lines 15-19). 

Therefore, it would have been obvious to one of ordinary skill in the art at the 
time the invention was made, having the teachings of Kaler, Moran and Clark before 
him/her, to modify Kaler the network session data comprises a sliding window because 
that would allowing an authorized receiver acquire some timing information as taught by 
Clark (column 3, lines 14-16). 

As to claim 20 
Kaler teaches 
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"Means for reading a subset of the network session data comprises a ring buffer" 
as while waiting for a trigger condition to occur, events are retained transiently by the 
LEG in a circular buffer (e.g. ring buffer) whose size can be specified by VSA (page 12, 
paragraph 0203). 

Conclusion 

The prior art made of record and not relied upon is considered pertinent to applicant' disclosure. 

Glommen et al. (US Patent No. 6,393,479 B1). 

Fruchtman et al. (US Patent Application No. 2002/0099843 A1). 

McNamara et al. (US Patent No. 5,487,066 A). 

Schneider et al. (US Patent Application No. 2002/0049883 A1). 
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